Hi,
I noticed that if I set the OUTPUT policy to DROP, I need to add a few rules by default for SSH and migrations to work if I add another ringX address. Could it be that some rules that get set by default for INPUT may have been forgotten in output?
I see the usual ports (8006, 22, 5900:5999, 3129, corosync) for local_network, but what about ring1 if it's set (no SSH there in output)? Also, that leads to another issue that I brought on myself: it's even worse if we use insecure migrations…
Not an issue for us, we do have a security group allowing what needs to be set, but if one is to enable OUTPUT filtering (which I particularly like to have), some things might be breaking. Might report that on the mailing list, but wanted to check if I was doing something wrong first!
Cheers,
Gilou